The Laravel Licensing package by Luca Longo brings enterprise-grade license management directly into your Laravel application. It handles seat-based license enforcement, offline verification via cryptographically signed tokens, and full audit logging — everything you need if you're distributing commercial software built on Laravel.
Main Features
- Offline verification: using PASETO (Platform-Agnostic Security Tokens) v4 tokens signed with Ed25519. This is a modern, safer alternative to JWTs, and clients can verify licenses without a live server connection
- Seat-based limits: restrict a license to a set number of devices or users, with activation and revocation support
- License Scopes: isolate multiple products under separate signing keys so a key compromise in one product doesn't affect others. Each product gets its own signing key, meaning you can rotate or revoke one without touching the rest of your lineup
- Grace periods, renewals, and expiration: full lifecycle management out of the box
- Audit logging: every license event is recorded automatically
- Flexible assignment: attach licenses to any model (users, teams, organizations, etc.)
Usage
After installing the package, publishing the config, and running migrations, you'll need to generate a root certificate and at least one signing key before issuing any licenses:
php artisan licensing:keys:make-rootphp artisan licensing:keys:issue-signing --kid signing-key-1The --kid flag sets the key identifier. If you're using License Scopes, you can also pass --scope to tie the signing key to a specific product.
Create a license:
$license = License::createWithKey([ 'licensable_type' => User::class, 'licensable_id' => $user->id, 'max_usages' => 5, 'expires_at' => now()->addYear(),]); $licenseKey = $license->license_key; // e.g., "LIC-A3F2-B9K1-C4D8-E5H7"Register a device against a license:
$usage = Licensing::register( $license, 'device-fingerprint-hash', [ 'device_name' => 'MacBook Neo - Personal' ]);The device identifier can be any unique string — a hash of hardware attributes, a UUID, or whatever makes sense for your application. The package doesn't enforce a specific format.
Issue an offline verification token:
$token = Licensing::issueToken($license, $usage, ['ttl_days' => 7]);Check license status:
if ($license->isUsable()) { $days = $license->daysUntilExpiration();}The token is a time-limited, cryptographically signed payload that the client can verify locally without calling back to your server on every request.
Beyond the core workflow, the package also provides options for retrieving existing license keys, verifying their validity, and regenerating them when needed — useful for key rotation or when a key is lost.
Companion Packages
The ecosystem includes two additional packages:
- laravel-licensing-client — validates licenses against a licensing server and handles offline token verification on the client side
- laravel-licensing-filament-manager — a Filament admin panel for managing licenses, monitoring seat usage, and rotating signing keys
Learn more about the package on GitHub at masterix21/laravel-licensing. Full documentation is also available in the docs folder of the repository.
